End of the EU's Data Retention Saga? CJEU Clarifies Conditions for State Surveillance Regimes

Background and Issue 

On October 6, 2020, the CJEU adopted several rulings addressing data retention obligations contained in the national security laws of the United Kingdom (Case C-623/17 Privacy International), France, and Belgium (joined Cases C-511/18 La Quadrature du Net and Others, C-512/18 French Data Network and Others, and C-520/18 Ordre des barreaux francophones et germanophone and Others). The Court held that the legal frameworks in these countries must not require ECS providers to carry out general and indiscriminate transmission or retention of traffic and location data for the purpose of combating crime or safeguarding national security. 

These rulings are the latest of a series of CJEU decisions—including joined cases C-203/15 and C-698/15 Tele2 Sverige and Watson and Others; and joined cases C-293/12 and C-594/12 Digital Rights Ireland and Others—that prohibit EU Member States from requiring ECS to retain all traffic and location data of their users in a general and indiscriminate manner (see our related publications, "The Data Retention Saga Continues: European Court of Justice and EU Member States Scrutinize National Data Retention Laws" and "EU Data Retention Directive Declared Null and Void: What is Next and How The Ruling Has Been Received in the Member States"). 

The CJEU was asked, inter alia, to determine whether national legislation can require ECS providers to forward their users' traffic and location data to a public authority, or to retain such data, in a general or indiscriminate manner for the specific purpose of safeguarding national security.  

National Security vs. Privacy 

Despite the fact that national security is a competence of the EU Member States, the CJEU confirmed that Directive 2002/58/EC of July 12, 2002—concerning the processing of personal data and the protection of privacy in the electronic communications sector ("E-Privacy Directive")—applies to national legislation that require ECS to forward or retain data for the purpose of safeguarding national security.  

Therefore, EU Member States adopting legislative measures that restrict the scope of the rights and obligations provided by the E-Privacy Directive (e.g., obligations to ensure the confidentiality of communications and traffic data) must ensure that these measures comply with general principles of EU law (such as the principle of proportionality) and the fundamental rights provided by the EU Charter of Fundamental Rights. Accordingly, the legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that their data will be effectively protected against the risk of abuse.  

ECS vs. Other Information Society Services 

The CJEU stressed that issues relating to the confidentiality of communications and personal data have to be assessed in light of the E-Privacy Directive or the General Data Protection Regulation, depending on the types of services provided. Therefore, the CJEU clarified that obligations imposed on providers of information society services, cloud providers, and web-based email services would also have to follow the principles set out by the Court for ECS. 

Massive vs. Targeted Surveillance 

The Court said that general and indiscriminate retention of traffic and location data for the purpose of combating crime or safeguarding national security is not allowed under EU law, except in limited circumstances: 

• Where an EU Member State is under a serious threat to national security that proves to be "genuine and present or foreseeable," the CJEU held that such Member State may order ECS to retain traffic and location data, generally and indiscriminately, but only for as long and in so far as it is strictly necessary for such a genuine threat. In addition, the order must be subject to effective review either by a court or by an independent administrative body whose decisions are binding. 
• General retention of IP addresses is, however, permitted, but it has to be temporary.
• General retention of civil identity of users of electronic communications systems may also be ordered without storage limits. 

In addition, the CJEU stressed that retention of traffic and location data must be targeted and limited on the basis of objective and nondiscriminatory factors, according to the categories of persons concerned or by using a geographical criterion. 

Real-Time vs. Non-Real Time 

The Court recognized that EU Member States may require providers of ECS to collect traffic and location data in real time, provided that such collection is either:  

• Based on a genuine and present or foreseeable serious threat to national security, subject to ex post review (as explained above); or 
• Concerns only persons suspected of being involved in terrorist activities and is subject to prior authorization by a court or an independent administrative body.  

International Data Transfers 

The CJEU rulings will have an important impact on any assessment of adequacy necessary for international data transfers, including to the United Kingdom after December 31, 2020, the end of the Brexit Implementation Period. The rulings may make it less likely that the United Kingdom will be granted an adequacy decision by the EU Commission for the transfer of personal data from the European Union to the United Kingdom from 2021 (unless there is a specific agreement between the EU and UK in the ongoing Brexit negotiations). The ruling could be interpreted as a confirmation that the United Kingdom does not provide an adequate level of protection of personal data because of its surveillance laws. 

In the wake of the annulment of the EU-U.S. Privacy Shield in July 2020, the criteria set out by the CJEU will also be relevant for data transfer from the European Union to the United States, whether in relation to the adoption of an updated EU-U.S. Privacy Shield or any future assessment of use of Standard Contractual Clauses. The conditions may also potentially help with the screening of third-country legislation and risk when assessing whether it is possible to rely on EU Standard Contractual Clauses to specific countries following the Schrems II decision. 

Not Yet the End of the Data Retention Saga 

This is not the end of the data retention story for the CJEU as another request for a preliminary ruling is still pending to address the retention of traffic and location data for four- and 10-week periods respectively under German statutory law (ECJ, SpaceNet, Case C- C-793/19). This case was referred to the ECJ by the German Federal Administrative Court (Ruling of September 25, 2019, BVerwG 6 C 12.18, English summary of the request for a preliminary ruling), which emphasized in its preliminary request that it considers that the German data retention law contains sufficient protective measures to justify the interference with fundamental rights. Nevertheless, the German telecom regulator announced that it will not enforce data retention provisions until compliance with EU law is clarified in the court proceedings. This case illustrates why it is unlikely that the data retention saga will end soon for the CJEU. 

Furthermore, all EU Member States will have to review—and likely reform—their existing data retention laws in light of the criteria set out by the CJEU. This is likely to lead to new controversies and follow-up questions—for example, how to determine when a threat to national security is "serious" and is "genuine and present or foreseeable." So the saga will continue at the national level as well as for the Court.